Fed Websites to Accept External Credentials

More than 72,000 public users accessing information on National Institutes of Health servers since June 2010 have used externally issued credentials, saving the Department of Health and Human Services agency nearly $3 million over five years.

The savings come from NIH not having to manage user IDs and passwords on some 50 systems, says Federal CIO Steven VanRoekel.

VanRoekel's comments came in a memorandum he issued earlier this month to departmental and agency chief information officers to permit agencies to leverage externally issued credentials in addition to continuing to offer federally issued ones to authenticate users.

The memo calls for executive branch agencies to accept approved, externally issued credentials when they upgrade or develop Level 1 government websites that allow the public to register or log on. Websites requiring credentials with higher levels of assurance - Levels 2, 3 and 4 - should also be enabled to accept approved externally issued credentials when appropriate (see box for Office of Management and Budget definition of the four levels).

"In basic terms, this means that solutions from firms like Equifax, Google, PayPal, Symantec and Wave Systems - all of whom have had their credentialing solutions certified to meet federal security and privacy requirements - can be trusted identity providers for certain types of federal applications," White House Cybersecurity Coordinator Howard Schmidt writes in a blog.

Schmidt says a handful of identity providers have undergone or are undergoing the federal approval process. "We are eager to see - particularly at the higher levels of credential assurance - a larger, vibrant pool of accredited identity providers to provide more choices for people and federal agencies," he says. "The federal government has developed a viable framework for using federated digital credentials, and with this memorandum, taken a significant step towards creating a more efficient government that can meet the needs of the American people in the 21st century. Now we look to the private sector to support our efforts and reap the collective benefits."

VanRoekel says the initiative will take effect 90 days after final approval by the Federal CIO Council and General Services Administration of at least one trusted framework provider identified in an attachment to the memorandum.

The Obama administration in April unveiled the federal government/private-sector strategy that it said would eventually let users obtain a single credential as a one-time digital password in the form of software on a mobile device, a smart card or token to transact business over the Internet (see Single Digital Password Credential Sought).
